CVE-2026-41242

EUVD-2026-23678
protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 and 7.5.5 patch the issue.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Common Weakness Enumeration
References
https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75
https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956
https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5
https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1
https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg